Skip to main content
Last updated: June 29, 2026Latest Frontend Version: 2.17.3

Glossary

120 terms
A
Audit QueryAudit
A structured search against the tiCrypt Audit log database. Supports filtering by time, user, action, and resource type. Returns results in under a second using ClickHouse columnar indexing.
Access PointResources
Individual URL or SFTP endpoint created for an Inbox, each with its own expiration date, upload capacity limit, and optional password protection (which cannot be viewed or changed after creation). URL access points generate a browser link for drag-and-drop file submission; SFTP access points provide credentials usable with any standard SFTP client for larger or scripted transfers. Multiple access points can exist per Inbox, each directed to a different uploader with a personalized message, and deleting all access points converts the Inbox back into a regular file directory.
Application Secure VMVM
Secure VM extended with an external network pathway to host applications that must be reachable from outside tiCrypt, such as REDCap survey interfaces. A Super Admin designates a VM as an application secure VM and configures a fixed IP address, DNS name, MAC-to-IP pinning via dnsmasq, and specific open ports (typically 443 for TLS). External traffic is routed through Nginx with URL path restrictions, so only the designated application interface is exposed while all other tiCrypt security controls remain enforced.
AkkaInfrastructure
Actor-based framework used for TCP communication between tiCrypt backend services. Each service connects to ticrypt-auth as its supervisor via persistent Akka TCP connections with periodic health pings.
AllowedlistInfrastructure
Firewall rule mechanism controlled by the ticrypt-allowedlist component that defines which external servers a secure VM can reach. Requires Super Admin authorization and operates by manipulating iptables/NFTables rules and DNS replies on the tiCrypt backend server, which acts as the sole gateway for all VM traffic. Without an explicit allowedlist entry, all outbound traffic from secure VMs is blocked. Primarily used for licensing server access (Windows activation, SAS, ArcGIS, etc.).
AES-256Formats
Symmetric encryption standard (FIPS 197) used for all data-at-rest encryption in tiCrypt. Every file, encrypted virtual drive, and protected resource is encrypted with a unique, randomly generated AES-256 key. Vault files are divided into 8 MB chunks, each encrypted independently using AES-CBC with a per-chunk initialization vector. Provides a key space of 2^256 possible keys; at 10^18 guesses per second, exhaustive search would require approximately 3.67 x 10^50 years.
Active JobsBatch
Management table displaying currently running Slurm batch processing jobs with details including job ID, submitting user, status, allocated resources (cores, memory, nodes), and execution timestamps on worker VMs.
Audit LogsManagement
Management table providing an in-application view of the tiCrypt audit trail with filtering by time, user, and action type. Supports CSV and JSON export for compliance reporting and incident investigation.
API KeysManagement
Management table for creating, viewing, and revoking authentication tokens used for programmatic access to the tiCrypt REST API. Each key has a defined purpose, creator, creation date, expiration, and hash for identification.
B
BitLockerFormats
Microsoft full-disk encryption. Used by the VM Controller to mount encrypted user drives on Windows VMs. Enabled immediately on first drive attachment before the drive is made available to the user.
C
Chain of TrustSecurity
Hierarchical chain of digital signatures that prevents key substitution attacks. A site key, whose public key is signed by a Tera Insights certificate hardwired into the server software, bootstraps the trust root of the deployment. The site key signs the first super-administrator key, which signs subsequent administrator keys. Every new user's public key is signed by an administrator's private key, cryptographically binding it to the chain. Any user can independently verify the full chain on the client side without trusting the server.
Crowd SecuritySecurity
Client-side key integrity mechanism where tiCrypt's frontend locally stores SHA-256 fingerprints (per FIPS 180-4) of every public key it has previously interacted with. When a file is shared, the frontend fetches the recipient's public key and compares it against the stored fingerprint; any discrepancy triggers an immediate alert. Because fingerprints are stored client-side and outside the server's reach, even a fully compromised server cannot swap keys without detection by any client that has previously interacted with the target user. This provides key-pinning without reliance on any centralized certificate authority.
Cryptographic IsolationSecurity
tiCrypt's method of confining Controlled Unclassified Information (CUI) through client-side AES-256 encryption and key isolation rather than physical separation of storage hardware. Every resource is encrypted at the endpoint before it reaches storage, and the storage layer never holds keys or plaintext. This allows encrypted CUI to co-reside on shared media with other tenants without confidentiality exposure, satisfying CMMC Level 2 practices SC.L2-3.13.16 (CUI at rest) and SC.L2-3.13.11 (FIPS-validated cryptography) while eliminating the need for dedicated storage appliances.
Cryptographic ErasureSecurity
Data sanitization method where destroying a resource's unique, independently generated AES-256 key renders its ciphertext permanently unrecoverable and computationally indistinguishable from random noise. No disk-level sanitization (overwrite, degauss, or physical destruction) is required, making it practical on shared storage where physical destruction is not feasible. Satisfies CMMC Level 2 practice MP.L2-3.8.3, provided the cryptography is CMVP-validated, data was encrypted before being written, and every copy of the key (including escrowed and backup copies) is verifiably destroyed.
Challenge-Response ProtocolSecurity
tiCrypt's primary authentication method: the server issues a random 32-byte nonce, the user's client signs it with their RSA private key using SHA-256, and the server verifies the signature against the stored public key. The nonce is cryptographically random and non-reusable, preventing replay attacks (CMMC practice IA.L2-3.5.4). No password is ever transmitted to or stored by the server; the password is used only locally to decrypt the user's private key. When MFA is enabled, the signed MFA certificate is bundled with the challenge response and verified independently.
CertificationRoles
Formal attestation that a user meets a specific security requirement defined within a project's security level. Certifications are created by administrators or project managers, can have an expiration date (which can be renewed or manually marked as expired), and are tied to named security requirements rather than the project as a whole. Users without the necessary certifications cannot access project-tagged resources. Revoking a certification removes the user's qualified status for that requirement.
Controller ServerVM
Backend component that serves the global configuration and the latest VM Controller binary to VMs at boot. All VMs contact this service on startup to receive the current controller version.
controller.tomlVM
TOML configuration file on the image that defines per-image VM Controller behavior: terminal access, tunneling, SFTP, lifecycle commands, user management, and FIPS mode. Set once during image preparation and applies to every VM that boots from that image. Located at /etc/ticrypt/controller.toml (Linux) or C:\Program Files\Tera Insights\tiCrypt VM Controller\controller.toml (Windows).
Cost FunctionInfrastructure
A scheduling rule combining multiple curves (VM count, vCPU, memory, devices) to compute the total placement cost for a host. The scheduler selects the host with the lowest total cost for each new VM.
CurveInfrastructure
Configuration object in ticrypt-vm.conf that computes a scheduling cost from a single numeric input (VM count, memory bytes, or device count). Available types are constant, linear, hard-soft/soft-hard (piecewise linear with soft and hard caps where cost is infinite past the hard cap), unavailable (infinite cost if any input above zero), and piecewise/low-high/high-low (switches between two sub-curves at a cutoff threshold).
Custom FieldsManagement
Management tool for creating and managing custom metadata fields for teams and projects. Supports text, number, date, and fully custom input types. Fields appear in team and project creation dialogs and can be reordered, previewed, and deleted.
D
Drive PoolResources
Libvirt storage pool providing the backing volumes for VM drives. Pools are typed by purpose (Drives, Hardware Setups, Raw Volumes, Images, ISOs, or Miscellaneous) and scoped to a realm, with a filesystem path that must exist and be writable on both the VM host and backend. Pools backed by directory, LVM, Ceph RBD, GlusterFS, and ZFS support dynamic provisioning; iSCSI requires layering LVM on top for on-demand drive creation. Pools can optionally enforce explicit storage quotas.
Data-Get VMVM
Purpose-built VM launched with newly formatted drives on an unrestricted network (br-datain) with general internet access, whose sole function is to pull external data onto those drives before they are detached and reattached to secure VMs for protected research. Like service VMs, data-get VMs operate outside the secure network and do not handle sensitive data directly, providing a controlled ingress path that keeps the secure enclave boundary intact.
Deleted UsersManagement
Management table providing a recovery interface for soft-deleted user accounts. Deleted users can be viewed and restored, though their original roles and permissions must be manually re-assigned after restoration.
DevicesManagement
Management table listing PCI and USB hardware components (GPUs, accelerators, specialized peripherals) registered in the system and available for allocation to VMs. Devices are tracked for quota management and capability assignment.
E
Escrow UserSecurity
Individual with a dedicated RSA key pair and a separate account outside the main tiCrypt system, whose public key is signed by the site key or by another authorized escrow user, establishing a chain of trust. Escrow users are organized into escrow groups, where all members of a group hold the same shard (providing redundancy). It is recommended that escrow users not be regular tiCrypt users.
Escrow GroupRoles
A group of escrow users (minimum three members) where all members hold the same recovery key shard, providing redundancy. Recovery requires one representative from each escrow group to contribute their shard. The group structure ensures no individual or single group can unilaterally recover a user's private key.
Encrypted DriveResources
Virtual storage volume whose encryption is handled inside the VM using LUKS (Linux) or BitLocker (Windows), with keys provided by the data owner and transmitted over an authenticated channel. Formatted as EXT4, BTRFS, NTFS, XFS, or ZFS, and backed by any libvirt storage pool type that supports dynamic provisioning (directory, LVM, Ceph RBD, etc.). A read-write drive can attach to only one VM at a time, while a read-only drive can attach to multiple VMs simultaneously; administrators and hypervisor root cannot access drive contents because encryption keys never persist on the boot image or infrastructure.
External Drive BuilderResources
Administrator tool for migrating large datasets (typically 5 TB and above) into the tiCrypt enclave via a prepare-seal-deliver workflow. An administrator creates a virtual drive outside tiCrypt, populates it with data, then seals it using a manifest file produced by ticrypt-driveimport, which encrypts the drive and binds decryption rights to a specific user. The sealed drive is moved into the configured libvirt storage pool and imported through the Management interface.
EnclaveVM
Secure bounded computing environment for regulated research. Combines tiCrypt's zero-knowledge encryption, network isolation (all ports blocked except tiCrypt-controlled tunnels), and tamper-evident audit controls into a CMMC Level 2 compliant workspace where data is cryptographically confined.
Escrow CertificatesManagement
Management table displaying and managing signed certificates for escrow operations, including escrow group creation certificates, user activation certificates, and deletion request certificates. Each certificate is signed by the site key to establish chain-of-trust authority.
External SFTP ServersManagement
Management table for configuring external SFTP servers that tiCrypt users and VMs can access for data transfer and integration with third-party systems. Each server entry includes connection details, credentials, and access policies.
G
Global SlurmBatch
Cluster-wide Slurm scheduler that manages physical hardware resources (CPUs, memory, nodes) and enforces fairness, quotas, and partition policies across all projects. Global Slurm sees only resource requests (cores, memory, time), never job scripts, data paths, or application code. When it schedules a job, ticrypt-host-controller starts a secure VM on each allocated node, which is then handed to ticrypt-vm-controller for provisioning into the Local Slurm cluster. Runs under a service account with no access to user data.
GroupsManagement
Collaborative collections of users with shared access to resources. Groups enable management of group membership, project classification, and group-level controls for resource organization and access delegation within tiCrypt.
H
Hash ChainAudit
Tamper-evident, append-only data structure used in tiCrypt's audit logs, deployed on an isolated system separate from the backend. Each log record is hashed using SHA-256 (FIPS 180-4), incorporating the hash of the previous record. Any modification, including insertion, deletion, or alteration, produces a detectable hash conflict. Log data is pushed from the backend over a one-way TCP connection on port 25000 with no return path, so neither administrators nor attackers with backend access can alter the record without leaving forensic evidence.
Hardware SetupInfrastructure
A tiCrypt resource specification that pairs hardware resources (CPU cores, memory, PCI/USB devices) with a VM image. Users select a hardware setup when creating a VM configuration.
Hardware ProfileInfrastructure
A server description linking CPU cores, memory, PCI devices, and a cost function. Assigned to VM host machines for scheduling. Defines the resource capacity the scheduler uses when placing VMs.
HOCONInfrastructure
Human-Optimized Config Object Notation. The configuration format used by all tiCrypt backend service files in /etc/ticrypt/. Supports includes, substitutions, and hierarchical configuration structures.
I
InboxResources
Designated directory within a user's Vault that accepts data from external parties who do not have tiCrypt accounts. Each Inbox is exposed through one or more access points (URL or SFTP endpoints), each with its own expiration date, upload capacity limit, optional password protection, and sender-facing instructions. Uploaded files land directly in the Vault owner's encrypted storage, and uploading is irreversible from the sender's perspective. Inboxes can be tagged to projects, and all access points must be deleted before contents can be transferred to a VM.
ISO ImagesManagement
Management table listing bootable or service-only installation media files (ISO format) that can be assigned to teams and users for VM provisioning, software installation, or maintenance tasks.
K
Key EscrowSecurity
Recovery mechanism for user private keys, triggered when an administrator marks an account as requiring escrow. On the user's next login, a restricted session generates a separate AES-256 recovery key shard for each escrow group (minimum three groups required), combines them into a single recovery key that encrypts the user's private key, then discards the recovery key. Each group's shard is encrypted with every member's public key for redundancy. Recovery requires representatives from every escrow group to collaborate; a missing shard from any single group makes recovery cryptographically impossible.
L
LibvirtInfrastructure
Virtualization management API used by tiCrypt to provision, control, and monitor VMs on host machines. tiCrypt connects to Libvirt on each host via SSH using an injected RSA-2048 public key.
Libvirt Storage PoolInfrastructure
Storage abstraction managed by Libvirt that provides backing volumes for VM drives, typed by purpose as Drives, Hardware Setups, Raw Volumes, Images, ISOs, or Miscellaneous. Pools are scoped to a realm with a filesystem path and optional explicit quotas. tiCrypt requires pool types that support dynamic volume creation (directory, filesystem, LVM, Ceph RBD, GlusterFS, ZFS); iSCSI pools require layering LVM on top for dynamic provisioning. tiCrypt's drive encryption is independent of the pool type, applied inside the VM rather than at the storage layer.
LUKSFormats
Linux Unified Key Setup. Used by the VM Controller to mount encrypted user drives on Linux VMs. Encrypts at the block layer beneath the filesystem (typically EXT4), so all data including filesystem structure and metadata is encrypted.
Local SlurmBatch
Full Slurm instance (with its own slurmctld, slurmd, and job queue) running inside tiCrypt's secure enclave within a project-controlled VM. Users submit jobs via standard commands (sbatch, srun, squeue, sacct) through the in-browser terminal or RDP session. Local Slurm has full visibility into job scripts, data, and execution, manages compute nodes that are themselves secure VMs with encrypted drives, and is invisible to Global Slurm and system administrators. When a job finishes, all associated VMs are destroyed and encryption keys are discarded.
Libvirt HostsManagement
Management table listing physical host machines registered in Libvirt realms that execute VMs, with state management (Enabled, Do Not Schedule, Disabled), utilization monitoring, MAC address configuration, and NAT settings for backend connectivity.
Libvirt VolumesManagement
Management table showing raw storage volumes managed by Libvirt that serve as backing storage for drives and VM images, with capacity allocation tracking and pool association.
Licensing ServersManagement
Management table for configuring external license management servers with TCP/UDP protocols, port numbers, and expiration dates. Used to manage software licenses for VM applications (Windows activation, SAS, ArcGIS, etc.) through the allowedlist firewall mechanism.
N
Nodes (Slurm)Batch
Management table listing all Slurm compute nodes available in the HPC cluster, showing hardware specifications, current state (idle, allocated, drained), and resource availability for job scheduling.
NFS MountsManagement
Management table configuring network filesystem paths that are mounted into VMs at specific slots, enabling shared read-only or read-write access to centralized storage for applications and large datasets.
O
Onboarding TemplateRoles
A reusable configuration that pre-assigns permission profiles, teams, certifications, and permissions to users during registration. Supports bulk user provisioning with consistent role and access assignments.
P
Permission ProfileRoles
Named template (called a "User Profile" in the tiCrypt interface) that bundles a role and a set of granular permissions spanning Basic Vault Interaction, Basic VM Interaction, Project Management, VM Administration, Team Interaction, and Miscellaneous categories. Administrators create, clone, and apply profiles to users in bulk. Profiles can also govern whether users may escrow their keys and whether session downgrade approval is required.
ProjectResources
Access-controlled container in tiCrypt with a name, color-coded tag, optional security levels with requirements, a principal investigator, and support for nested subprojects. Resources (files, drives, VMs, inboxes) tagged with a project are restricted to certified or active members only, and tagging is enforced at the VM level (project tag changes do not take effect until the VM restarts). Projects can be assigned to Sub-Admins for delegated management, and membership includes configurable expiration dates, roles, and restrictions.
Project TagResources
Association of a resource (file, drive, VM, or inbox) with a specific project, restricting access to certified project members only. Applied at the VM level and enforced on restart. Changing a project tag on a running VM requires a reboot for the restriction to take effect. All operations on project-tagged resources are captured in the audit log with the project identifier.
Port 22Formats
The only port permitted through the tiCrypt network infrastructure into secure VMs. The VM Controller binds to it for tunneling all user traffic. Does not run SSH; it is controlled exclusively by the VM Controller for encrypted tunnel traffic.
Past JobsBatch
Management table showing historical records of completed, canceled, or failed Slurm jobs with their final states, execution details, and performance metrics for audit and post-mortem analysis.
Project MembershipsManagement
Management table tracking user membership in projects with role definitions, configurable expiration dates, restrictions, and relationship status for access control. Members can be added individually or in bulk.
Past VMsManagement
Management table showing historical records of previously running VMs with archived logs, metadata, and creation and termination timestamps for audit trail and troubleshooting purposes.
Q
qcow2Formats
QEMU Copy-On-Write v2 disk image format. The only boot image format accepted by tiCrypt. Supports snapshots and thin provisioning.
R
Recovery KeySecurity
A single AES-256 key constructed by combining one independently generated shard from each escrow group. It encrypts the user's private key during escrow enrollment and is immediately discarded after use. Reconstruction requires a representative from every escrow group to contribute their shard; the recovery key cannot be derived if any group's shard is missing.
RealmVM
A fully independent VM execution environment with its own VM images, drives, host machines, and Libvirt storage pools. Configured in ticrypt-vm.conf. Each realm operates autonomously with its own scheduling and storage infrastructure.
RSA-2048Formats
Asymmetric key pair using 2048-bit keys with PKCS#1 v1.5 padding for encryption and RSASSA-PKCS1-v1_5 for signatures (FIPS 186-5). Generated at account creation, the single key pair supports authentication (challenge-response signing), file sharing (encrypting per-file AES-256 keys for recipients), and certificates (non-repudiation via digital signatures). PKCS#1 v1.5 is used rather than RSA-OAEP because the encrypted payload is always a fixed-format 32-byte AES key and the protocol exposes no padding-validity oracle. Provides 112 bits of security strength, approved for government use through 2030.
Resources by UserManagement
Management lookup table that displays all resources (teams, projects, drives, certifications) associated with a specific user, including registration comments and admin notes recorded at account creation.
Resources by ProjectManagement
Management lookup table providing an aggregated view of all drives, members, certifications, and security settings associated with a specific project for resource oversight.
Running VMsManagement
Management table displaying currently active virtual machines with real-time connection and management options including RDP, file transfer, terminal access, user/group administration, and the ability to stop or restart instances.
REST APIManagement
Management reference for the tiCrypt REST API, documenting available endpoints, authentication methods (API key and session token types), and request/response formats for programmatic access to tiCrypt resources.
S
Split CredentialsSecurity
Authentication hardening mechanism that splits the information needed to decrypt a user's RSA private key across two independent systems. The AES initialization vector (IV) and password salt, normally stored in the user's key file, are moved to the server and released only after successful MFA verification. Neither the client nor the server alone possesses enough information to recover the private key. An attacker who steals the key file must also defeat the MFA factor or compromise the server. Users enroll by changing their private key password, which triggers the frontend to generate and store new IV and salt values on the server.
Security RequirementsSecurity
Named conditions that users must satisfy to access project-tagged resources. Security requirements are defined at the system level and associated with security levels, which are assigned to projects. The same requirement can be reused across multiple security levels and projects. Each requirement is paired with a certification; administrators or project managers certify individual users against specific requirements. Requirements can include MFA enrollment, training completion, clearance verification, or any organization-defined criteria. Users without active certifications for all required security requirements cannot access the project.
Super AdminRoles
Highest-privilege role in tiCrypt that bypasses all permission checks and has unrestricted authority over the entire system, including deployment settings, system services, global configuration, and the ability to promote or demote any user. Some functions (deployment settings, allowedlist authorization, application secure VM designation) are reserved exclusively for Super Admins. Despite full administrative access, Super Admins are cryptographically excluded from user data because encryption keys are derived from user key pairs that the infrastructure never possesses. Deployments typically have only two to three Super Admins.
Sub-AdminRoles
Delegated administrator scoped to assigned teams or projects. Cannot access data unless explicitly shared. Can manage users, teams, and projects within their delegated scope but cannot modify system-wide settings.
Site Key AdminRoles
Offline certification authority that signs escrow certificates and deletion requests. Operates outside the main tiCrypt system with an air-gapped private key. The site key's public key is signed by a Tera Insights certificate hardwired into the server, bootstrapping the chain of trust for the entire deployment.
SubsessionResources
Temporary credential session scoped to a specific operation, most commonly VM-to-Vault direct file transfer. Created under the "Create sub-session for VM-to-Vault direct transfer" permission within Basic VM Interaction, it allows data to move between a running VM and the user's Vault without staging through the local machine.
Security LevelResources
A classification tier assigned to projects that determines which security requirements members must satisfy. Each security level defines named requirements that are paired with user certifications. Projects without a security level are accessible to any active member.
Service VMVM
Administrator-managed VM that boots on a separate, unrestricted network (br-service, VLAN-isolated from the secure network) with general internet access, used for image preparation, software installation, and package updates. Service VMs are created with a specified image, hardware cores, memory, and devices, and are managed through a VNC terminal rather than the standard tiCrypt proxy channel. Deleting a service VM removes it from the system but leaves its images intact for reuse.
SFTPFormats
One-way file transfer protocol from the user's local machine into the VM via tiCrypt Connect. Uploads only; downloads and file reads are blocked. Also used by ticrypt-sftp for external data ingestion into Vault Inboxes.
Slurm ConfigurationBatch
Management table providing a view of all Slurm cluster configuration parameters and their current values, including scheduler policies, partition definitions, and resource limits for system optimization.
Slurm DiagnosticsBatch
Management view displaying real-time Slurm diagnostics including job statistics, main scheduler performance metrics (in microseconds), backfill statistics, RPC call statistics by message type and user, and pending RPC counts for cluster health monitoring.
Sub-Admin Managed ObjectsManagement
Management table that maps teams and projects to sub-administrator accounts, enabling delegation of administrative responsibilities and temporary project management rights with optional expiration dates.
System ServicesManagement
Management table displaying all backend system services (ticrypt-auth, ticrypt-rest, ticrypt-vm, databases, etc.) with their current status, version, uptime, logs, and restart capabilities for infrastructure monitoring and management.
System SettingsManagement
Centralized configuration interface for global system parameters including organization logos, server URLs, session timeouts, XSS protection policies, user registration policies, password requirements, and UI customization options. Changes are tracked in the System Settings History.
System Settings HistoryManagement
Management table tracking all changes made to system settings, showing the previous value, new value, timestamp, and the administrator who made each change for audit and rollback reference.
T
tiCrypt ConnectProducts
Self-contained desktop application built on Wails that serves the tiCrypt frontend locally as either a standalone embedded browser or an external browser session. Authenticates all VM traffic, establishes secure TLS tunnels between the user's computer and their VMs (including RDP, terminal, file explorer, and SFTP), and provides a local filesystem bridge to the Vault via SSHFS. New features such as external SFTP support are added exclusively to the Connect Application rather than the browser version.
tiCrypt AuditProducts
Separately deployed audit platform that ingests secure logs from a tiCrypt deployment for compliance reporting, incident investigation, and system monitoring. Provides pre-built and custom queries authored in a TOML-based query builder with SQL generation, parameterized queries with autocomplete, severity-based alert monitoring (Info through Critical), data export to Excel, and chart visualization. Features role-based access control separating admin and standard user capabilities, API access tokens for programmatic integration, and object detail inspection for users, teams, files, drives, VMs, and IP addresses.
ticrypt-restBackend Services
HTTPS entry point for all client requests, reverse-proxied behind Nginx as a dedicated virtual domain with its own TLS certificate. Validates JSON request and response payloads, routes requests to internal services via Akka TCP, and exposes both an external-facing endpoint (port 443) for the tiCrypt frontend and an internal endpoint used by compute nodes for status reporting and VM registration. Also serves as the token-based API gateway for programmatic access.
ticrypt-authBackend Services
Authentication, authorization, and global coordination service that supervises all other backend services via Akka TCP connections with periodic health pings. Manages user accounts, session lifecycle, MFA certificate validation, key escrow operations (using a site-key chain of trust with sharded recovery keys), and split credentials that harden private keys by storing the AES IV and salt server-side so neither the client nor the server alone can recover a user's private key. Also enforces XSS attack response policies including automatic session termination and account locking.
ticrypt-file-managerBackend Services
Backend service managing encrypted file and directory operations in the tiCrypt Vault. File content is broken into independently encrypted 8 MB chunks (each stored as 8 MB + 64 bytes on disk, where the extra 64 bytes contain the AES initialization vector). All metadata, including directory entries, access information, and decryption keys, is stored in MongoDB rather than on the file system.
ticrypt-storageBackend Services
Low-level storage backend managing the on-disk directory structure where encrypted Vault file chunks are stored. Chunks are organized in a directory tree keyed by file ID, configured via a single path parameter, and visible only to the tiCrypt backend (not to VM hosts). Because decryption keys are held exclusively by users, the raw chunk files can be replicated to unencrypted backups or cloud storage without compliance risk.
ticrypt-vmBackend Services
Backend service managing the full VM lifecycle across all compute hosts via Libvirt over SSH (using an injected RSA-2048 public key). Organizes VMs into realms, each an independent execution environment with its own Libvirt storage pools (bricks, drives, and volumes) on a distributed file system. Uses a configurable cost-function scheduler that combines curves for VM count, vCPU, memory, and per-device-type costs to select the lowest-cost host. Supports Slurm integration for batch processing through a dual-scheduler architecture.
ticrypt-proxyBackend Services
Secure tunnel mediator between users and VMs, listening on ports 6000-6100 externally and forwarding to the port range 6000-6254 on VM hosts. Replicates traffic between two WebSocket connections (one from the user's frontend, one from ticrypt-vm-controller inside the VM) but cannot read session contents because the payload is encrypted end-to-end using RSA-2048 co-authentication and a Diffie-Hellman negotiated session key. Proxy endpoints are IP-pinned to the requesting client's address.
ticrypt-loggerBackend Services
Centralized logging service that records all system activity into a tamper-evident, SHA-256 hash-chained audit trail. A primary copy is written to a local immutable append-only file, and a second copy is streamed over TCP port 25000 to tiCrypt Audit for processing in ClickHouse. Supports configurable log rotation and multiple output drivers (file and TCP). All backend services depend on this service for audit integrity.
ticrypt-statsBackend Services
Backend service collecting system statistics and usage metrics across all tiCrypt components.
ticrypt-notificationsBackend Services
Service handling user and system notification delivery within the tiCrypt platform.
ticrypt-maintenanceBackend Services
Background service performing automated maintenance tasks, primarily the account locker, which periodically scans for user accounts that have been inactive beyond a configurable threshold and automatically locks them. Scan frequency and inactivity period are both administrator-configurable via HOCON.
ticrypt-sftpBackend Services
SFTP-based data ingestion service deployed outside the secure infrastructure perimeter, listening on port 2022. Supports both administrator-provisioned SFTP ingestion and user-created Inbox access points that generate sender-specific SFTP credentials for external collaborators. Requires a network path to the tiCrypt backend REST interface but has no access to the internal network or compute nodes.
ticrypt-mailboxBackend Services
Web-based file submission ingress service for external collaborators, deployed outside the security perimeter with only a one-way network path to ticrypt-rest. Files uploaded through the browser or CLI are encrypted with the receiving tiCrypt user's public key so only the intended recipient can decrypt them. The system auto-locks on detection of impersonation or malicious file patterns. Requires its own Nginx virtual domain and TLS certificate.
ticrypt-allowedlistBackend Services
Service controlling VM outbound network access to external licensing servers. Manipulates iptables/ipset firewall rules and DNS replies on the backend host so that, unless a specific IP-and-port mapping is configured, all outgoing VM traffic remains blocked. Works in conjunction with the tiCrypt frontend to provide a management interface and requires SuperAdmin authorization to configure.
ticrypt-host-controllerBackend Services
tiCrypt agent running on each compute node that receives Global Slurm jobs (via the job submission script) and starts secure VMs for each allocated job. Notifies the tiCrypt backend of VM creation so the VM can be handed over to ticrypt-vm-controller for provisioning. Manages the local job-tracking database and is being extended to support bare-metal Apptainer/Singularity containers as an alternative to VMs for MPI workloads requiring native network performance.
tiCrypt-host-managerBackend Services
Component coordinating between the Global Slurm scheduler and the tiCrypt backend for batch processing. In tiCrypt's dual-scheduler architecture, it bridges Global Slurm (which handles cluster-wide resource allocation, quotas, and fairness but never sees job content) with the secure Local Slurm instances that execute jobs inside encrypted VM enclaves.
ticrypt-driveimportBackend Services
Service supporting the External Drive Builder workflow, in which an administrator creates and populates a virtual drive outside of tiCrypt, then seals it using a manifest file that encrypts the drive and binds decryption and mounting rights to a specified user. The sealed drive is moved into the configured Libvirt drive pool and imported into tiCrypt via the manifest. Designed for large-scale dataset migrations (5 TB+).
ticrypt-setupBackend Services
Ansible-based installation and configuration tool and the only supported deployment method for tiCrypt backends. Distributed as a downloadable archive containing Ansible playbooks, configuration templates (inventory.ini for node inventory and ticrypt.yml for deployment parameters), and the ticrypt-setup.sh installer script. Targets both backend and worker nodes with configurable SSH access, and changes require re-running ticrypt-setup.sh to take effect.
tiauditAudit
Main audit service that hosts the audit interface, reporting engine, and query functionality for tiCrypt Audit. Provides the web-based dashboard for administrators and compliance teams.
tiaudit-loggerAudit
Background service that listens for new log entries pushed from the tiCrypt backend over TCP port 25000 and stores them in ClickHouse for columnar analysis.
tiaudit-log-uploaderAudit
Utility for backfilling historical audit logs during initial deployment or recovery scenarios. Imports archived log data into ClickHouse so the full audit trail is available for queries.
TeamResources
Resource constraint group that governs what users can consume in tiCrypt. Teams define total and per-user quotas for VM cores, memory, storage pool allocations, and devices. Every drive, VM configuration, and running VM is associated with a team, and users removed from all teams are deactivated. Teams can be assigned to Sub-Admins, and removing team quotas or setting them to zero grants unlimited resource access.
Team MembershipsManagement
Management table tracking individual user memberships within teams, enabling bulk management of team composition, user access to team-associated resources, and per-user quota enforcement.
U
User ProfileRoles
See Permission Profile. In the tiCrypt interface, "User Profile" is the display name for permission profiles that bundle roles and granular permissions for assignment to users.
UUIDFormats
Universally unique identifier assigned to each VM instance at boot by the tiCrypt backend. Used to track the VM throughout its lifecycle in logs, scheduling, and audit records.
User Accounts (Slurm)Batch
Management table listing Slurm user accounts with their resource allocation limits, fair share distribution weights, and cumulative usage metrics for managing resource consumption across the cluster.
User CertificationsManagement
Management table recording which users have been certified for which security requirements, including certification dates, expiration times, and renewal status for ongoing compliance tracking.
V
VaultProducts
tiCrypt's general-purpose encrypted file storage, independent of any VM. Serves as the audited passthrough between external data sources and VMs. All file transfers into and out of VMs flow through the Vault, ensuring every operation is logged. Files are divided into 8 MB chunks, each encrypted independently with a unique AES-256 key. External collaborators deposit data via Inboxes; users transfer files between Vault and VMs through secure subsessions.
VM ConfigurationResources
Saved template defining the complete hardware and storage setup for launching a virtual machine, including the hardware setup (image and resource profile), home drive (always read-write), optional extra drives (read-write or read-only), team, project tag, and optional preferred host or MAC address. VM configurations can be shared with co-owners who receive full read-write access to the VM, and can be spawned or stopped from both the user interface and the Management console.
VM ImageVM
The boot drive of a virtual machine, containing the operating system and the tiCrypt VM Installer. Images are immutable and reset automatically on each boot, eliminating persistent malware and rootkits. Both Linux and Windows images are supported in qcow2 format.
VM ControllerVM
Runtime program downloaded at boot by the VM Installer that enforces security policy, registers with the backend, creates user accounts, mounts encrypted drives via LUKS or BitLocker, and proxies all user traffic through the tiCrypt backend. Generates an RSA-2048 key pair at each boot for mutual authentication with the VM owner.
VM InstallerVM
Bootstrap software installed on the image. At boot, it downloads the latest VM Controller from the Controller Server, generates cryptographic keys, and manages the controller lifecycle. Also referred to as the "stub" in logs.
VM HostVM
Physical machine registered in a Libvirt realm that runs VMs, assigned a hardware profile defining available CPU cores, memory, and passthrough devices. Each host has a state (Enabled, Do Not Schedule, or Disabled), optional static address translation (NAT) settings for backend connectivity, and an optional MAC address list for NVIDIA licensing. Hosts connect to the secure, service, and data-in networks via OpenVSwitch bridges.
VirtIOFormats
Paravirtualized I/O drivers for KVM/QEMU guests. Required for Windows images to access storage and networking in the tiCrypt environment. Linux images typically include VirtIO support in the kernel.
VM Accounts (Slurm)Batch
Management table showing Slurm accounts linked to specific VM configurations, tracking raw share allocations, usage statistics, and filesystem hierarchy levels for batch processing resource management.
W
WebSocketFormats
Persistent bidirectional connection between the VM Controller and the tiCrypt backend, used to relay user sessions and commands. All session traffic is encrypted end-to-end with a Diffie-Hellman negotiated session key.
Worker VMsBatch
Management table displaying virtual machines configured to execute Slurm jobs as worker nodes within the tiCrypt secure batch processing architecture. Each worker VM runs inside the encrypted enclave and is destroyed when its job completes.
Z
Zero-Knowledge InfrastructureSecurity
tiCrypt's foundational architectural principle: the server operates on data it cannot read, manages keys it cannot use, and authenticates users without ever learning their credentials. Decryption keys never reside on the server; administrators are cryptographically excluded from user data; and a full server compromise (including root access) yields only ciphertext, computationally indistinguishable from random noise. This reduces the impact of any breach from data exfiltration to denial of service. The architecture is designed for cryptographic agility, allowing upgrade to NIST post-quantum standards (ML-KEM, ML-DSA) without changes to the server, storage layer, or security model.